I did have to set up HTTPS inspection, and here is the way I did it.
You can use Gaia in expert mode to generate the SSL request with OpenSSL.
I would refer you to this article, where you will find great information regarding the use of OpenSSL:
ssl - How to create a self-signed certificate with openssl? - Stack Overflow
You should use at minimum sha256 and RSA2048 for the public key.
Also, make sure the key is exported when signing the certificate, and get the file in PKCS12 format if possible.
Make sure the authority is signing the certificate with the correct "certificate signing role" because it will not work.
The certificate needs to be considered an intermediate CA.
Hope it helps.
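
The steps in the post above, as an added example that is not part of the original post: an RSA 2048 key and SHA-256 request, signing as an intermediate CA, and a PKCS12 export, followed by checks on the result. The throwaway root standing in for the signing authority, the file names, subjects and password are all constructed, and reading "certificate signing role" as `CA:TRUE` plus the `keyCertSign` key usage is an assumption.

```shell
#!/bin/sh
# Added example: file names, subjects and password are constructed placeholders.
set -eu

build_inspection_ca() {
    dir=$1
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Stand-in for the signing authority: a throwaway root, for testing only.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -config "$dir/ca.cnf" -extensions v3_root \
        -subj "/CN=Constructed Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Request: RSA 2048 key, request signed with SHA-256.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$dir/ca.cnf" -subj "/CN=Constructed Inspection CA" \
        -keyout "$dir/inspect.key" -out "$dir/inspect.csr" 2>/dev/null
    # Signing: the authority issues the certificate as an intermediate CA.
    openssl x509 -req -sha256 -days 30 -in "$dir/inspect.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_intermediate \
        -out "$dir/inspect.crt" 2>/dev/null
    # Export: private key, certificate and issuer chain in one PKCS12 file.
    openssl pkcs12 -export -inkey "$dir/inspect.key" -in "$dir/inspect.crt" \
        -certfile "$dir/root.crt" -passout pass:constructed-example \
        -out "$dir/inspect.p12"
}

check_inspection_ca() {
    dir=$1
    text=$(openssl x509 -in "$dir/inspect.crt" -noout -text)
    echo "$text" | grep -q "CA:TRUE" || return 1                  # is a CA
    echo "$text" | grep -q "Certificate Sign" || return 1         # may sign certs
    echo "$text" | grep -q "sha256WithRSAEncryption" || return 1  # SHA-256 signature
    openssl verify -CAfile "$dir/root.crt" "$dir/inspect.crt" >/dev/null
}

workdir=$(mktemp -d)
build_inspection_ca "$workdir" && check_inspection_ca "$workdir" && echo "bundle: $workdir/inspect.p12"
```

With a real key, supply the PKCS12 passphrase from a prompt or a protected file rather than `pass:` on the command line, and remove the unencrypted key file once the bundle is imported.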